10. Security Considerations

Overview

This section discusses security considerations for Kerberos implementations and deployments. Understanding these considerations is essential for secure operation.

Fundamental Security Properties

What Kerberos Provides

  • Authentication of principals
  • Protection against eavesdropping (with encryption)
  • Protection against tampering (with integrity protection)
  • Replay protection (with timestamps and nonces)

What Kerberos Does NOT Provide

  • Protection against denial of service
  • Protection if principals' keys are compromised
  • Complete protection against password guessing
  • Authorization (only authentication)

Cryptographic Considerations

Key Management

  • Long-term keys must be kept secret
  • Key derivation from passwords creates vulnerability
  • Strong passwords essential
  • Key compromise has broad impact

Algorithm Selection

  • Use strong encryption algorithms
  • Deprecate weak algorithms
  • Follow current cryptographic best practices
  • Plan for algorithm agility

Clock Synchronization

Requirements

  • Clocks must be loosely synchronized
  • Clock skew tolerance creates replay window
  • Secure time synchronization essential
  • NTP or similar must be secured
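
Added example, not part of the original page or of any Kerberos implementation: a minimal server-side check showing why the skew tolerance is a replay window and how a replay cache closes it. The 300-second skew, the class and function names, and the sample principal are assumptions; the cache key is simplified to client name, ctime and cusec.

```python
from dataclasses import dataclass, field

MAX_SKEW = 300  # seconds; assumed tolerance (a common default, not taken from the page)


def fresh_only(ctime: int, now: float, max_skew: int = MAX_SKEW) -> bool:
    """Timestamp check alone: a captured authenticator passes again inside the window."""
    return abs(now - ctime) <= max_skew


@dataclass
class ReplayCache:
    """Remembers accepted authenticators for as long as they would still look fresh."""
    max_skew: int = MAX_SKEW
    seen: dict = field(default_factory=dict)  # (client, ctime, cusec) -> expiry time

    def check(self, client: str, ctime: int, cusec: int, now: float) -> str:
        # Drop entries that the freshness test below would already reject.
        # ">=" matters: at now == expiry the timestamp is still inside the window.
        self.seen = {k: exp for k, exp in self.seen.items() if exp >= now}
        # 1. Freshness: reject timestamps outside the skew tolerance.
        if not fresh_only(ctime, now, self.max_skew):
            return "KRB_AP_ERR_SKEW"
        # 2. Replay: this exact authenticator was already accepted.
        key = (client, ctime, cusec)
        if key in self.seen:
            return "KRB_AP_ERR_REPEAT"
        # Retain until ctime + max_skew, the last instant it can pass step 1.
        self.seen[key] = ctime + self.max_skew
        return "OK"


def demo() -> list:
    rc = ReplayCache()
    t0 = 1_700_000_000  # constructed server time, not real data
    alice = "alice@EXAMPLE.COM"  # constructed principal
    return [
        rc.check(alice, t0, 123, now=t0 + 1),        # first presentation
        rc.check(alice, t0, 123, now=t0 + 200),      # captured copy, inside window
        rc.check(alice, t0, 123, now=t0 + 300),      # captured copy, at window edge
        rc.check(alice, t0, 123, now=t0 + 301),      # captured copy, window closed
        rc.check(alice, t0 + 900, 5, now=t0 + 302),  # client clock far ahead
    ]


if __name__ == "__main__":
    print(demo())
```

A larger skew tolerance forces the cache to hold entries longer; shortening the cache lifetime below the tolerance reopens the replay window.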

Network Considerations

DNS Security

  • DNS responses may not be trustworthy
  • DNSSEC recommended for KDC discovery
  • Hostname canonicalization risks
  • Service principal name validation critical

Address Restrictions

  • IP addresses can be spoofed
  • NAT complicates address-based restrictions
  • Consider addressless tickets
  • Don't rely solely on addresses for authorization

Cross-Realm Authentication

Trust Considerations

  • Transited realm path must be verified
  • Untrusted realms can compromise authentication
  • Application servers should validate transited field
  • Inter-realm keys establish trust relationships

Password-Based Authentication

Vulnerabilities

  • Offline dictionary attacks possible
  • Pre-authentication reduces but doesn't eliminate risk
  • Strong password policies essential
  • Consider additional authentication factors

Ticket Management

Credential Storage

  • Long-lived tickets increase exposure
  • Renewable tickets balance lifetime and security
  • Secure credential cache essential
  • Forward secrecy considerations

Ticket Forwarding

  • Forwarded credentials grant broad access
  • Only forward to trusted services
  • OK-AS-DELEGATE flag provides guidance
  • Limit credential forwarding

Implementation Security

Common Pitfalls

  • Buffer overflows in message parsing
  • Time-of-check to time-of-use issues
  • Side-channel attacks on cryptography
  • Random number generation weaknesses

Best Practices

  • Validate all inputs
  • Use constant-time comparisons
  • Secure random number generation
  • Regular security updates

Operational Security

Key Distribution

  • Initial key establishment must be secure
  • Out-of-band key distribution
  • Password enrollment procedures
  • Key rotation policies

Monitoring and Auditing

  • Log authentication events
  • Monitor for unusual activity
  • Incident response procedures
  • Compromise detection and response

Deployment Considerations

  • Balance security and usability
  • Defense in depth
  • Regular security assessments
  • Follow principle of least privilege

Reference

For comprehensive security discussion, refer to RFC 4120 Section 10.